Records management

Assess your records management policy and risks to people’s personal information. Includes record creation, storage and disposal, access, tracking and off-site storage.


Records management organisation

Your business has defined and allocated records management responsibilities.

You should assign lead responsibility for records management within the organisation at a level of seniority high enough to be able to affect change to policy, process and culture. Where resources are available, you should nominate an appropriately skilled records management lead to coordinate the management of records within the business. This may be combined with other roles within the organisation.


Records management policy

Your business has approved and published an appropriate records management policy. This is subject to a regular review process.

A policy will enable you to address how records are used within your organisation in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific records management procedures such as storage and maintenance of records or disposal of records. The policy should clearly set out your business's approach to records management and as a minimum should address the organisation's overall commitment, the role of records management, references to related policies and documents, staff roles and responsibilities and monitoring of compliance. The National Archives has developed comprehensive guidance on how to create an effective records management policy.


Records management risk

Your business has identified records management risks as part of a wider information risk management process.

You should carry out regular exercises to identify, assess and manage records management risks. This process simply seeks to identify what might go wrong with a process and why. Measures can then be put in place to mitigate these risks. Where a corporate risk register is already in place this can be used to record risks to records management functions; these might include records not being updated, not being destroyed in a timely manner or not being held securely.


Records management training

Your business incorporates records management (RM) within a formal training programme. This comprises mandatory RM induction training with regular refresher material, and specialist training for those with specific RM functions.

You should brief all staff on their responsibilities for the creation, use, maintenance and eventual destruction of records on or shortly after appointment with regular updates to maintain levels of awareness. Awareness materials might include posters, office wide emails, intranet updates, records management content in newsletters. Staff with specific records management responsibilities such as management of disposal schedules, monitoring of data quality or oversight of records management practice should receive appropriate training in order to allow them to carry out their role effectively.



Your business has established written agreements with third party service providers that include appropriate information security conditions. Your business ensures the protection of personal data that is accessed by suppliers and providers.

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services eg for archiving purposes, confidential waste disposal or IT network services. You should be satisfied that these 'data processors' will treat your information securely as your business will be held responsible under the DPA for what they do with the personal data. You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure appropriate security arrangements are in place. You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.


Monitoring and reporting

Your business carries out periodic checks on records security and there is monitoring of compliance with records management procedures. The outcomes of any records security checks or compliance monitoring is measured against key performance indicators to provide strategic oversight to those with overall responsibility for RM.

You should develop ways of checking staff compliance to ensure policies and procedures are adhered to eg after hours desk sweeps to ensure compliance with clear desk policy, checks of disposal procedures to ensure that confidential waste is being disposed of correctly. Performance measures might include progress against a records management action plan, archive retrieval rates measured against a service level agreement (SLA), progress regarding deletion of records against requirements of a retention schedule or data quality and accuracy. Reports on performance to KPIs should be reported periodically to management to provide assurances on compliance.


Record creation

Your business has minimum standards for creation of paper or electronic records and has established processes to ensure that there is a legitimate purpose for using personal data prior to collecting it.

You should ensure procedures and guidelines for referencing, titling and indexing new records are in place to control access to those records and allow for efficient management, retrieval and disposal. If the collection of data is in your organisation's legitimate interests, and is fair and lawful, you will most likely comply with the DPA. Although emails are often perceived differently to other records, they still contain information which has a wider business purpose as well as personal or sensitive personal data, so you should managed them in a consistent way.


Records inventory

Your business has identified manual and electronic record keeping systems throughout the organisation and actively maintains a centralised record of those systems.

In order to ensure that personal data is managed effectively and securely it is necessary for you to know what information you hold and how. As such it may be necessary to carry out an 'information audit' or 'records survey' to identify records and data sets held by the organisation. This process will help in determining which business functions create certain records, which records are vital to the functioning of the business, where they are kept, how long they are kept for and who needs to use them now and in the future. Once this information is gathered it may allow for the development of retention and disposal schedules, improved security practices, and the development of disaster recovery processes.


Information standards

Your business has processes in place to ensure that personal data that is collected is accurate, adequate, relevant and not excessive. Routine weeding is also carried out to remove any personal data or records that are no longer relevant or out of date.

The DPA requires that personal data is accurate and up to date. What is considered to fall under these categories will change over time and as an organisation's business needs change. You should have processes in place to ensure that personal data which is inaccurate or is out of date is removed from records on a regular basis. You should have a process in place to ensure that you take reasonable steps to ensure the accuracy of personal data collected and to deal with challenges to the accuracy of personal data from individuals about whom information is recorded over time. This should allow for the personal data to be amended, removed or clarified where appropriate. The DPA says that personal data should be adequate, relevant and not excessive. If you do not make decisions regarding what personal data you should hold for your business purposes then you are at risk of collecting excessive data and infringing the privacy of an individual, or you may hold too little to facilitate effective decision making about those individuals. Again what is adequate, relevant and not excessive will change with business need.


Tracking and offsite storage of paper records

Your business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where records are taken offsite.

In many circumstances employees will be required to take paper records offsite in order to work remotely, eg to visit service users or to attend court hearings. Equally you may wish to store archived records offsite due to limitations on space within your offices. When doing so, you should have appropriate procedures in place to ensure that your business knows what records are offsite and who is holding them so you can recover them if necessary or destroy them when they reach the end of their retention period. When transferring data offsite, it should be minimised, use an appropriate form of transport, eg secure courier for sensitive personal data, log the transfer in and out where appropriate and put checks in place to ensure that data is received. Security measures which you could use include lockable containers, tamper evident packaging, and removal from public view and accessibility.


Offsite transfer of electronic records

Your business has appropriate measures in place for the transfer of electronic records offsite to protect personal data from loss of theft.

Personal data may be transferred offsite using electronic means such as email or removable media eg USB sticks or DVDs. CDs, DVDs, USB drives, smartphones and tablet devices in particular are highly vulnerable to theft or loss. When transferring data offsite, it should be minimised, you should use an appropriate form of transport eg secure courier for sensitive personal data, you should log the transfer in and out where appropriate and check that data has been received. Security measures which you could use include tamper evident packaging, and storage on encrypted devices. Where there is a business need to transfer personal data via email or removable media, personal data should be minimised and encrypted. You could use other secure methods such as Secure Transfer Protocols (STP).


Secure storage of records

Your business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around sensitive personal data.

You should use lockable offices, cabinets and drawers to store records, with higher levels of security for records containing sensitive personal data. You should store keys securely and lock records away when staff are absent for extended periods, eg overnight. Where screens are left unattended they should be locked to avoid unauthorised access, theft, destruction or alteration of the data displayed with no clear audit trail. Environmental controls might include waterproofing and drainage to protect against flood risk, fire protection such as use of fire resistant or fire proof materials, fire control systems and heating to protect against damp.


Access to paper records

Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. Access should be role based in line with the principle of least privilege and checked regularly.

In order to reduce the risk of unauthorised access you should consider who needs access to what personal data in order to fulfil their function. For example, it is likely that only specific members of staff would need access to HR records. In such instances, you should limit access by means of keys, swipe cards, pin codes or other security measures.


Access to electronic records

Your business has a process to assign user accounts to authorised individuals and to remove them when no longer appropriate. Such access should be granted on the basis of least privilege and have appropriate access controls in place.

Access to systems holding personal data should be authorised by management, and user permissions restricted to the absolute minimum (known as 'least privilege'). Each user should be assigned their own username and password to ensure accountability. You should review access permissions periodically to ensure the privileges granted continue to be based on business need and have been correctly authorised. The frequency of review will depend on the level of privilege granted to the user. A 'brute force' password attack is a common threat so you need to enforce strong passwords, regular password changes, and limit the number of failed login attempts. You should also monitor user activity to detect any anomalous use. Passwords should not be shared unless there is a justified business need and authorisation. Passwords should be promptly disabled when a user changes duties or leaves the organisation.


Business continuity

Your business has business continuity plans in place. These identify records that are critical to the continued functioning or reconstitution of the organisation in the event of a disaster. Data that is stored electronically is routinely backed-up to help restore information in the event of disaster.

Every organisation will hold data which it cannot function without. You should assess the data held and its criticality to business functions and put plans in place to prepare for serious disruption. You should take regular backups so that you can restore personal data stored electronically in the event of disaster or hardware failure. The extent and frequency of backups should reflect the sensitivity and confidentiality of the personal data, and its criticality to the continued operation of the business. Ideally you should store backups offsite.


Disposal of data

Your business has a retention and disposal schedule in place which details how long manual and electronic records will be kept for. Your business has defined confidential waste disposal processes in place to ensure that records are destroyed to an appropriate standard once a disposal decision has been made.

Once you have completed a records survey, you can assign retention periods to records and data sets. Records can then be destroyed once they reach the end of this retention period. You can destroy paper records in a variety of ways including cross cut shredding or incineration. The method of destruction should match the sensitivity of personal data being destroyed and you should carry out checks to ensure that staff are complying with the procedures. Electronic records should also be deleted from systems, however where this is not technically possible, they should be 'put beyond use'. Where every day confidential waste is awaiting disposal it should be stored securely for example in lockable confidential waste bins. Larger storage areas may be required for disposal of large amounts of personal data once it has been weeded from records to be retained.